Building an Information Security Program: Creating a Security Culture

By Deshard Stevens, Senior Director of Information Technology, NAACP Legal Defense and Educational Fund, Inc.

The threat landscape has changed significantly over the last few years. The increased use of the Internet of Things (IoT) gives attackers more routes into an organization's network and data. The adoption and integration of AI technology have become a significant issue and will remain a challenge for the foreseeable future. As such, organizations will need to take a more proactive approach to information security. After all, information is a critical asset that must be protected from cyber threats.

Formalized Information Security Program

To take a proactive approach to information security, organizations must formalize their information security program. Information security policies and procedures should be well documented and measured against metrics that make business sense for the organization. The security program should focus on preventing, detecting, and responding to threats. Regularly updating and testing the information security program is essential for ensuring the organization is adequately prepared for any potential threats.

Having a holistic security strategy should be part of any successful information security program. Too often, organizations deploy security controls in isolation. While firewalls, intrusion detection systems (IDS), and endpoint detection and response systems (EDR) provide a level of protection, organizations leave themselves exposed to potential cyber threats absent a broader strategy. All elements of a security program, such as security policies and organizational risk, should be considered before implementing any defensive controls. With a security strategy in place, organizations will be able to implement their security program more effectively.

More Than Technical Controls

There is more to information security than technical controls. Risk assessment and management are key elements of any information security program. It is important to note that risk cannot be eliminated altogether; residual risk will always remain. Conducting a risk assessment helps organizations understand the potential risks they face. Effective risk management enables organizations to prioritize these risks and deploy strategies to minimize their impact.

Access control is another element of information security. Access controls are necessary to ensure that only authorized users can obtain access to certain information. As part of the information security program, organizations should have a process to verify users' identities and ensure that appropriate access levels are granted to those users. Users should only be granted access to the information that is necessary to fulfill their roles and responsibilities.

The incident response plan (IRP) is often overlooked but should be part of any information security program. The IRP outlines how an organization will respond to, contain, and recover from security incidents. Without a proper plan in place, organizations will be slow to respond to incidents, which may result in more data loss, a longer downtime period, or higher costs. The IRP should be updated as the information security program matures and tested regularly.

Creating a Security Culture

Security culture can be viewed as the set of values or norms shared by everyone in an organization that shape how they think about and approach security. Information security is a shared responsibility for everyone in the organization, not just the IT department. Each employee must do their part to protect organizational information from cyber threats. Creating a security culture means moving beyond promoting security awareness. Being aware of security threats and how to respond to them is only one aspect of security culture.

Security culture should be integrated into the organizational culture. This helps create an environment where employees have the knowledge and resources to engage in proactive security practices, such as reporting security incidents or suspicious emails. Employees are then motivated to take ownership of their own security, and in turn the overall organizational risk is reduced. Employees become more likely to take steps to safeguard their work and refrain from risky behavior, such as leaving their computers unlocked or accessing confidential information from unsecured devices.

To build and strengthen a security culture, organizations need to raise awareness of the importance of security. Security should be a priority for everyone in the organization. Buy-in is needed from senior leadership to ensure security practices are embedded in the day-to-day operations of the organization. Information security education and awareness will help employees understand the value of security and equip them with the knowledge and tools needed to protect sensitive information.

The Role of Culture in Information Security

When it comes to information security, the human factor will continue to be an area of vulnerability that can be exploited. About 70-75% of data breaches are the result of human error. By fostering a security culture, organizations empower employees to detect and report security threats. A strong culture reinforces the understanding that employees are the first line of defense against potential cyber threats.

Taking a human-centric approach to security is essential for creating a strong security culture. Not only should security policies be clearly communicated to employees, but employees also need to understand the consequences of bad security practices. Explain to them why security is essential to their role within the organization. After all, it is the employees who make an organization secure.